/* * Copyright (c) 2015 Cisco and/or its affiliates. * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at: * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ #include <ctype.h> #include <vnet/vnet.h> #include <vnet/api_errno.h> #include <vnet/ip/ip.h> #include <vnet/interface.h> #include <vnet/ipsec/ipsec.h> #include <plugins/ikev2/ikev2.h> #include <plugins/ikev2/ikev2_priv.h> /* *INDENT-OFF* */ typedef CLIB_PACKED (struct { u8 nextpayload; u8 flags; u16 length; u8 protocol_id; u8 spi_size; u16 msg_type; u8 payload[0]; }) ike_notify_payload_header_t; /* *INDENT-ON* */ /* *INDENT-OFF* */ typedef CLIB_PACKED (struct { ip4_address_t start_addr; ip4_address_t end_addr; }) ikev2_ip4_addr_pair_t; typedef CLIB_PACKED (struct { ip6_address_t start_addr; ip6_address_t end_addr; }) ikev2_ip6_addr_pair_t; typedef CLIB_PACKED (struct { u8 ts_type; u8 protocol_id; u16 selector_len; u16 start_port; u16 end_port; u8 addr_pair[0]; }) ikev2_ts_payload_entry_t; /* *INDENT-OFF* */ /* *INDENT-OFF* */ typedef CLIB_PACKED (struct { u8 nextpayload; u8 flags; u16 length; u8 num_ts; u8 reserved[3]; ikev2_ts_payload_entry_t ts[0]; }) ike_ts_payload_header_t; /* *INDENT-OFF* */ /* *INDENT-OFF* */ typedef CLIB_PACKED (struct { u8 last_or_more; u8 reserved; u16 proposal_len; u8 proposal_num; u8 protocol_id; u8 spi_size; u8 num_transforms; u32 spi[0]; }) ike_sa_proposal_data_t; /* *INDENT-OFF* */ /* *INDENT-OFF* */ typedef CLIB_PACKED (struct { u8 last_or_more; u8 reserved; u16 transform_len; u8 transform_type; u8 reserved2; u16 transform_id; u8 attributes[0]; }) ike_sa_transform_data_t; /* *INDENT-OFF* */ /* *INDENT-OFF* */ typedef CLIB_PACKED (struct { u8 nextpayload; u8 flags; u16 length; u8 protocol_id; u8 spi_size; u16 num_of_spi; u32 spi[0]; }) ike_delete_payload_header_t; /* *INDENT-OFF* */ static ike_payload_header_t * ikev2_payload_add_hdr (ikev2_payload_chain_t * c, u8 payload_type, int len) { ike_payload_header_t *hdr = (ike_payload_header_t *) & c->data[c->last_hdr_off]; u8 *tmp; if (c->data) hdr->nextpayload = payload_type; else c->first_payload_type = payload_type; c->last_hdr_off = vec_len (c->data); vec_add2 (c->data, tmp, len); hdr = (ike_payload_header_t *) tmp; clib_memset (hdr, 0, len); hdr->length = clib_host_to_net_u16 (len); return hdr; } static void ikev2_payload_add_data (ikev2_payload_chain_t * c, u8 * data) { u16 len; ike_payload_header_t *hdr; vec_append (c->data, data); hdr = (ike_payload_header_t *) & c->data[c->last_hdr_off]; len = clib_net_to_host_u16 (hdr->length); hdr->length = clib_host_to_net_u16 (len + vec_len (data)); } void ikev2_payload_add_notify (ikev2_payload_chain_t * c, u16 msg_type, u8 * data) { ikev2_payload_add_notify_2(c, msg_type, data, 0); } void ikev2_payload_add_notify_2 (ikev2_payload_chain_t * c, u16 msg_type, u8 * data, ikev2_notify_t * notify) { ike_notify_payload_header_t *n; n = (ike_notify_payload_header_t *) ikev2_payload_add_hdr (c, IKEV2_PAYLOAD_NOTIFY, sizeof (*n)); n->msg_type = clib_host_to_net_u16 (msg_type); if (notify) { n->protocol_id = notify->protocol_id; if (notify->spi) { n->spi_size = 4; } } ikev2_payload_add_data (c, data); } void ikev2_payload_add_sa (ikev2_payload_chain_t * c, ikev2_sa_proposal_t * proposals) { ike_payload_header_t *ph; ike_sa_proposal_data_t *prop; ike_sa_transform_data_t *tr; ikev2_sa_proposal_t *p; ikev2_sa_transform_t *t; u8 *tmp; u8 *pr_data = 0; u8 *tr_data = 0; ikev2_payload_add_hdr (c, IKEV2_PAYLOAD_SA, sizeof (*ph)); vec_foreach (p, proposals) { int spi_size = (p->protocol_id == IKEV2_PROTOCOL_ESP) ? 4 : 0; pr_data = vec_new (u8, sizeof (ike_sa_proposal_data_t) + spi_size); prop = (ike_sa_proposal_data_t *) pr_data; prop->last_or_more = proposals - p + 1 < vec_len (proposals) ? 2 : 0; prop->protocol_id = p->protocol_id; prop->proposal_num = p->proposal_num; prop->spi_size = spi_size; prop->num_transforms = vec_len (p->transforms); if (spi_size) prop->spi[0] = clib_host_to_net_u32 (p->spi); vec_foreach (t, p->transforms) { vec_add2 (tr_data, tmp, sizeof (*tr) + vec_len (t->attrs)); tr = (ike_sa_transform_data_t *) tmp; tr->last_or_more = ((t - p->transforms) + 1 < vec_len (p->transforms)) ? 3 : 0; tr->transform_type = t->type; tr->transform_id = clib_host_to_net_u16 (t->transform_id); tr->transform_len = clib_host_to_net_u16 (sizeof (*tr) + vec_len (t->attrs)); if (vec_len (t->attrs) > 0) clib_memcpy_fast (tr->attributes, t->attrs, vec_len (t->attrs)); } prop->proposal_len = clib_host_to_net_u16 (vec_len (tr_data) + vec_len (pr_data)); ikev2_payload_add_data (c, pr_data); ikev2_payload_add_data (c, tr_data); vec_free (pr_data); vec_free (tr_data); } } void ikev2_payload_add_ke (ikev2_payload_chain_t * c, u16 dh_group, u8 * dh_data) { ike_ke_payload_header_t *ke; ke = (ike_ke_payload_header_t *) ikev2_payload_add_hdr (c, IKEV2_PAYLOAD_KE, sizeof (*ke)); ke->dh_group = clib_host_to_net_u16 (dh_group); ikev2_payload_add_data (c, dh_data); } void ikev2_payload_add_nonce (ikev2_payload_chain_t * c, u8 * nonce) { ikev2_payload_add_hdr (c, IKEV2_PAYLOAD_NONCE, sizeof (ike_payload_header_t)); ikev2_payload_add_data (c, nonce); } void ikev2_payload_add_id (ikev2_payload_chain_t * c, ikev2_id_t * id, u8 type) { ike_id_payload_header_t *idp; idp = (ike_id_payload_header_t *) ikev2_payload_add_hdr (c, type, sizeof (*idp)); idp->id_type = id->type; ikev2_payload_add_data (c, id->data); } void ikev2_payload_add_delete (ikev2_payload_chain_t * c, ikev2_delete_t * d) { ike_delete_payload_header_t *dp; u16 num_of_spi = vec_len (d); ikev2_delete_t *d2; dp = (ike_delete_payload_header_t *) ikev2_payload_add_hdr (c, IKEV2_PAYLOAD_DELETE, sizeof (*dp)); if (d[0].protocol_id == IKEV2_PROTOCOL_IKE) { dp->protocol_id = 1; } else { dp->protocol_id = d[0].protocol_id; dp->spi_size = 4; dp->num_of_spi = clib_host_to_net_u16 (num_of_spi); vec_foreach (d2, d) { u8 *data = vec_new (u8, 4); u32 spi = clib_host_to_net_u32 (d2->spi); clib_memcpy (data, &spi, 4); ikev2_payload_add_data (c, data); vec_free (data); } } } void ikev2_payload_add_auth (ikev2_payload_chain_t * c, ikev2_auth_t * auth) { ike_auth_payload_header_t *ap; ap = (ike_auth_payload_header_t *) ikev2_payload_add_hdr (c, IKEV2_PAYLOAD_AUTH, sizeof (*ap)); ap->auth_method = auth->method; ikev2_payload_add_data (c, auth->data); } static void ikev2_payload_add_ts_entry (u8 ** data, ikev2_ts_t * ts) { u8 * tmp; ikev2_ts_payload_entry_t *entry; int len = sizeof (*entry); if (ts->ts_type == TS_IPV4_ADDR_RANGE) len += sizeof (ikev2_ip4_addr_pair_t); else len += sizeof (ikev2_ip6_addr_pair_t); vec_add2 (data[0], tmp, len); entry = (ikev2_ts_payload_entry_t *) tmp; entry->ts_type = ts->ts_type; entry->protocol_id = ts->protocol_id; entry->selector_len = clib_host_to_net_u16 (len); entry->start_port = clib_host_to_net_u16 (ts->start_port); entry->end_port = clib_host_to_net_u16 (ts->end_port); if (ts->ts_type == TS_IPV4_ADDR_RANGE) { ikev2_ip4_addr_pair_t *pair = (ikev2_ip4_addr_pair_t*) entry->addr_pair; ip_address_copy_addr (&pair->start_addr, &ts->start_addr); ip_address_copy_addr (&pair->end_addr, &ts->end_addr); } else { ikev2_ip6_addr_pair_t *pair = (ikev2_ip6_addr_pair_t*) entry->addr_pair; ip_address_copy_addr (&pair->start_addr, &ts->start_addr); ip_address_copy_addr (&pair->end_addr, &ts->end_addr); } } void ikev2_payload_add_ts (ikev2_payload_chain_t * c, ikev2_ts_t * ts, u8 type) { ike_ts_payload_header_t *tsh; ikev2_ts_t *ts2; u8 *data = 0; tsh = (ike_ts_payload_header_t *) ikev2_payload_add_hdr (c, type, sizeof (*tsh)); tsh->num_ts = vec_len (ts); vec_foreach (ts2, ts) { ASSERT (ts2->ts_type == TS_IPV4_ADDR_RANGE || ts2->ts_type == TS_IPV6_ADDR_RANGE); ikev2_payload_add_ts_entry (&data, ts2); } ikev2_payload_add_data (c, data); vec_free (data); } void ikev2_payload_chain_add_padding (ikev2_payload_chain_t * c, int bs) { u8 *tmp __attribute__ ((unused)); u8 pad_len = (vec_len (c->data) / bs + 1) * bs - vec_len (c->data); vec_add2 (c->data, tmp, pad_len); c->data[vec_len (c->data) - 1] = pad_len - 1; } ikev2_sa_proposal_t * ikev2_parse_sa_payload (ike_payload_header_t * ikep, u32 rlen) { ikev2_sa_proposal_t *v = 0; ikev2_sa_proposal_t *proposal; ikev2_sa_transform_t *transform; u32 plen = clib_net_to_host_u16 (ikep->length); ike_sa_proposal_data_t *sap; int proposal_ptr = 0; if (sizeof (*ikep) > rlen) return 0; rlen -= sizeof (*ikep); do { if (proposal_ptr + sizeof (*sap) > rlen) goto data_corrupted; sap = (ike_sa_proposal_data_t *) & ikep->payload[proposal_ptr]; int i, transform_ptr; /* IKE proposal should not have SPI */ if (sap->protocol_id == IKEV2_PROTOCOL_IKE && sap->spi_size != 0) goto data_corrupted; /* IKE proposal should not have SPI */ if (sap->protocol_id == IKEV2_PROTOCOL_ESP && sap->spi_size != 4) goto data_corrupted; transform_ptr = proposal_ptr + sizeof (*sap) + sap->spi_size; if (transform_ptr > rlen) goto data_corrupted; vec_add2 (v, proposal, 1); proposal->proposal_num = sap->proposal_num; proposal->protocol_id = sap->protocol_id; if (sap->spi_size == 4) { proposal->spi = clib_net_to_host_u32 (sap->spi[0]); } for (i = 0; i < sap->num_transforms; i++) { ike_sa_transform_data_t *tr = (ike_sa_transform_data_t *) & ikep->payload[transform_ptr]; if (transform_ptr + sizeof (*tr) > rlen) goto data_corrupted; u16 tlen = clib_net_to_host_u16 (tr->transform_len); if (tlen < sizeof (*tr)) goto data_corrupted; vec_add2 (proposal->transforms, transform, 1); transform->type = tr->transform_type; transform->transform_id = clib_net_to_host_u16 (tr->transform_id); if (transform_ptr + tlen > rlen) goto data_corrupted; if (tlen > sizeof (*tr)) vec_add (transform->attrs, tr->attributes, tlen - sizeof (*tr)); transform_ptr += tlen; } proposal_ptr += clib_net_to_host_u16 (sap->proposal_len); } while (proposal_ptr < (plen - sizeof (*ikep)) && sap->last_or_more == 2); /* data validation */ if (proposal_ptr != (plen - sizeof (*ikep)) || sap->last_or_more) goto data_corrupted; return v; data_corrupted: ikev2_elog_detail ("SA payload data corrupted"); ikev2_sa_free_proposal_vector (&v); return 0; } ikev2_ts_t * ikev2_parse_ts_payload (ike_payload_header_t * ikep, u32 rlen) { ike_ts_payload_header_t *tsp = (ike_ts_payload_header_t *) ikep; ikev2_ts_t *r = 0, *ts; ikev2_ip4_addr_pair_t *pair4; ikev2_ip6_addr_pair_t *pair6; int p = 0, n_left; ikev2_ts_payload_entry_t *pe; if (sizeof (*tsp) > rlen) return 0; rlen -= sizeof (*tsp); n_left = tsp->num_ts; while (n_left && p + sizeof (*pe) < rlen) { pe = (ikev2_ts_payload_entry_t *) (((u8 *)tsp->ts) + p); p += sizeof (*pe); if (pe->ts_type != TS_IPV4_ADDR_RANGE && pe->ts_type != TS_IPV6_ADDR_RANGE) { ikev2_elog_uint (IKEV2_LOG_ERROR, "unsupported TS type received (%u)", pe->ts_type); return 0; } vec_add2 (r, ts, 1); ts->ts_type = pe->ts_type; ts->protocol_id = pe->protocol_id; ts->start_port = pe->start_port; ts->end_port = pe->end_port; if (pe->ts_type == TS_IPV4_ADDR_RANGE) { pair4 = (ikev2_ip4_addr_pair_t*) pe->addr_pair; ip_address_set (&ts->start_addr, &pair4->start_addr, AF_IP4); ip_address_set (&ts->end_addr, &pair4->end_addr, AF_IP4); p += sizeof (*pair4); } else { pair6 = (ikev2_ip6_addr_pair_t*) pe->addr_pair; ip_address_set (&ts->start_addr, &pair6->start_addr, AF_IP6); ip_address_set (&ts->end_addr, &pair6->end_addr, AF_IP6); p += sizeof (*pair6); } n_left--; } if (n_left) return 0; return r; } ikev2_notify_t * ikev2_parse_notify_payload (ike_payload_header_t * ikep, u32 rlen) { ike_notify_payload_header_t *n = (ike_notify_payload_header_t *) ikep; u32 plen = clib_net_to_host_u16 (n->length); ikev2_notify_t *r = 0; u32 spi; if (sizeof (*n) > rlen) return 0; r = vec_new (ikev2_notify_t, 1); r->msg_type = clib_net_to_host_u16 (n->msg_type); r->protocol_id = n->protocol_id; if (n->spi_size == 4) { if (sizeof (spi) + sizeof (*n) > rlen) goto cleanup; clib_memcpy (&spi, n->payload, n->spi_size); r->spi = clib_net_to_host_u32 (spi); } else if (n->spi_size == 0) { r->spi = 0; } else { clib_warning ("invalid SPI Size %d", n->spi_size); goto cleanup; } if (plen > (sizeof (*n) + n->spi_size)) { if (plen <= sizeof (*n) + n->spi_size) goto cleanup; u32 data_len = plen - sizeof (*n) - n->spi_size; vec_add (r->data, n->payload + n->spi_size, data_len); } return r; cleanup: vec_free (r); return 0; } void ikev2_parse_vendor_payload (ike_payload_header_t * ikep) { u32 plen = clib_net_to_host_u16 (ikep->length); ikev2_elog_uint (IKEV2_LOG_DEBUG, "vendor payload skipped, len %d", plen); } ikev2_delete_t * ikev2_parse_delete_payload (ike_payload_header_t * ikep, u32 rlen) { ike_delete_payload_header_t * d = (ike_delete_payload_header_t *) ikep; ikev2_delete_t *r = 0, *del; u16 i, num_of_spi; if (rlen < sizeof (*d)) return 0; num_of_spi = clib_net_to_host_u16 (d->num_of_spi); if (d->protocol_id == IKEV2_PROTOCOL_IKE) { r = vec_new (ikev2_delete_t, 1); r->protocol_id = 1; } else { if (sizeof (*d) + num_of_spi * sizeof (u32) > rlen) return 0; for (i = 0; i < num_of_spi; i++) { vec_add2 (r, del, 1); del->protocol_id = d->protocol_id; del->spi = clib_net_to_host_u32 (d->spi[i]); } } return r; } u8 * ikev2_find_ike_notify_payload (ike_header_t * ike, u32 msg_type) { int p = 0; ike_notify_payload_header_t *n; ike_payload_header_t *ikep; u32 payload = ike->nextpayload; while (payload != IKEV2_PAYLOAD_NONE) { ikep = (ike_payload_header_t *) & ike->payload[p]; if (payload == IKEV2_PAYLOAD_NOTIFY) { n = (ike_notify_payload_header_t *)ikep; if (n->msg_type == clib_net_to_host_u16 (msg_type)) return n->payload; } u16 plen = clib_net_to_host_u16 (ikep->length); payload = ikep->nextpayload; p += plen; } return 0; } /* * fd.io coding-style-patch-verification: ON * * Local Variables: * eval: (c-set-style "gnu") * End: */